A widely-publicised Drupal flaw dubbed "Drupalgeddon2" has been exploited to cryptojack more than 340 government, corporate, and university websites.
The wave of attacks has seen high level sites - including those belonging to computer maker Lenovo and a slew of US Government internet properties - compromised in order to force internet visitors to mine cryptocurrency.
An independent researcher, Troy Mursch, found a total of 348 infected websites, and commented on his blog that the cause seemed clear: “Using the bulk scan feature of urlscan.io, it became clear these were all sites were running outdated and vulnerable versions of Drupal content management system. The affected sites varied by hosting providers and countries and no specific one appeared to be targeted.”
Mursch investigated the compromises and found a common Java injection attack, leading to a “slightly throttled implementation of Coinhive”, a Java-based browser miner, hosted on vuuwd.com. The obfuscated code forced visiting browsers to mine Monero cryptocurrency with 80 percent of their CPU resources.
The extremely critical Drupal content management system vulnerability responsible (CVE- 2018-7600) was patched in March, but if left unpatched allows anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. The remote-code element is reminiscent of a 2014 flaw dubbed "Drupalgeddon” that saw widespread attacks on vulnerable servers.
Bob Egner, vice-president at Outpost24 told SC Media UK: “One of the reasons that these systems are being compromised is the security hygiene best practices are not being followed. From the work we do with our customer base, it's not the case that the security team is falling short on assessment of known assets. Rather, it's that the business is making more technology decisions and purchases without including the security team in the process. It's difficult to monitor and patch the systems you don't know you own.
“We regularly advise our customers and security leaders to step back and look at the basics – what assets do you own, how critical are they to your business, and how can you reduce the cyber-security exposure to the lowest level with the least amount of effort.”
Anyone running Drupal is advised to update their system as soon as possible, with a full rundown of the vulnerability here. The Drupal developers note -ominously - that “Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts…”